{"id":28230,"date":"2014-12-23T13:45:11","date_gmt":"2014-12-23T18:45:11","guid":{"rendered":"http:\/\/www.opensource.im\/uncategorized\/doh-wikileaks-pdf-viewer-springs-xss-vuln.php"},"modified":"2014-12-23T13:45:11","modified_gmt":"2014-12-23T18:45:11","slug":"doh-wikileaks-pdf-viewer-springs-xss-vuln","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/wikileaks\/doh-wikileaks-pdf-viewer-springs-xss-vuln.php","title":{"rendered":"Doh! WikiLeaks&#8217; PDF viewer springs XSS vuln"},"content":{"rendered":"<p>WikiLeaks' Flash-powered PDF reader has sprung a vulnerability or two.<\/p>\n<p>The whistle-blowing website uses an open source Flash library called FlexPaper to display PDF files. Unfortunately, various coding errors left FlexPaper open to cross-site scripting (XSS) and content spoofing.<\/p>\n<p>The developers behind the open source, web-based document viewer have released a patch to resolve the bugs.<\/p>\n<p>\"We have confirmed this XSS security vuln in our GPL flash viewer and patched it. New version: <a href=\"http:\/\/static.devaldi.com\/GPL\/FlexPaper_2.3.0.zip\" rel=\"nofollow\">http:\/\/static.devaldi.com\/GPL\/FlexPaper_2.3.0.zip<\/a>,\" FlexPaper told El Reg. \"Most Flash security holes were patched in flash version 9 and FlexPaper requires Flash 11 but we have confirmed this XSS.\"
<\/p>\n<p>The discovery of the bugs by security researcher Francisco Alonso has provoked <a href=\"http:\/\/www.wikileaks-forum.com\/security-support\/608\/-flexpaper-pdf-viewer-used-on-wikileaks-org-presents-security-risk-for-users\/32700\/msg66862#msg668621:3\" rel=\"nofollow\">concerns<\/a> on WikiLeaks' forums that the vulnerabilities might be abused to de-cloak users, threatening the privacy of WikiLeaks users in the process.<\/p>\n<p>Hackers (state-sponsored or otherwise) might use Flash components specifically to de-cloak users. It might also be possible to post links to external content as part of attempts to (further) discredit WikiLeaks. Issues similar to the Feds' use of Metasploit modules to uncover the identities of Tor users are feared.<\/p>\n<p>\"Given the fact that most browsers use plugins to enable the reading of PDFs, we strongly urge Wikileaks to link directly to PDF files instead of using third party software that could put users at risk,\" a WikiLeaks forum member advised.<\/p>\n<p>WikiLeaks did not respond to our requests for comment.<\/p>\n<p>Read the original:<br \/>\n<a target=\"_blank\" href=\"http:\/\/go.theregister.com\/feed\/www.theregister.co.uk\/2014\/12\/23\/wikileaks_pdf_viewer_vuln\" title=\"Doh! WikiLeaks' PDF viewer springs XSS vuln\">Doh! WikiLeaks' PDF viewer springs XSS vuln<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Wikileaks' Flash-powered PDF reader has sprung a vulnerability or two. 
The whistle-blowing website uses an open source Flash library called FlexPaper to display PDF files<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50],"tags":[],"class_list":["post-28230","post","type-post","status-publish","format-standard","hentry","category-wikileaks"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/28230"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=28230"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/28230\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=28230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=28230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=28230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}